Making multifactor authentication a reality

By Matt Leonard

May 11, 2017

What: “Strong Authentication in Cyberspace,” a Chertoff Group report that lays out eight principles of authentication for policymakers.

Why: A large number of network intrusions are the result of compromised passwords. Modern, standards-compliant, multifactor authentication is one of the most effective ways organizations can reduce cyber risk.

Findings: Multifactor authentication requires a user to provide at least two types of authentication, such as a password, biometric data, a cellphone or other information. To drive adoption of authentication that is secure, usable and protects privacy, governments should follow these principles when crafting legislation or policy:

Be sure any risk management plans explicitly address authentication.

Recognize that shared-secrets authentication (methods that use SMS or one-time passwords) is less reliable than more modern options.

Ensure that the authentication solution is easy for users to adopt.

Consider strong authentication options that use biometrics and cryptographic keys that are stored on local devices and never sent across the network.

Adopt solutions that cover mobile devices as well as desktops.

Build privacy into any solution.

Use biometrics as one way to provide authentication in a multifactor solution.

Focus on standards and outcomes, rather than a specific technology.

While strong security will help keep networks secure, “No technology or solution can completely eliminate the risk of a cyberattack,” the report concludes.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.